Report:

Privacy has become a significant concern in modern society as personal information about individuals is
increasingly collected, used, and shared, often by means of digital technologies, by a wide range of
organizations. To mitigate privacy concerns, organizations are required to respect privacy laws in
regulated sectors (e.g., HIPAA in healthcare, GLBA in the financial sector) and to adhere to self-declared
privacy policies in self-regulated sectors (e.g., the privacy policies of Web services companies such as
Google and Facebook). We investigate the possibility of formalizing and enforcing such practical
privacy policies using computational techniques. We formalize privacy policies that prescribe and
proscribe flows of personal information. Recognizing that traditional preventive access control and
information flow control mechanisms are inadequate for enforcing such privacy policies, we develop
principled audit and accountability mechanisms that seek to encourage policy-compliant behavior by
detecting policy violations, assigning blame, and punishing violators. We apply these techniques to
several U.S. privacy laws and organizational privacy policies, producing in particular the first complete
logical specification and audit of all disclosure-related clauses of the HIPAA Privacy Rule. In ongoing work
with Microsoft Research, Symantec Research Lab, and the Illinois Health Information Exchange, we are
developing these methods further and applying them in industry settings to provide greater assurance
that information sharing appropriately respects privacy expectations and other institutional agreements.

Additional details about the most significant research results follow. A complete list of
publications is appended at the end.

1. Formalizing the HIPAA Privacy Rule and the Gramm-Leach-Bliley Act

Despite the wide array of frameworks proposed for the formal specification and analysis of
privacy laws, there has been comparatively little work on expressing large fragments of actual
privacy laws in these frameworks. We attempt to bridge this gap by giving the first complete
logical formalizations of the transmission-related portions of the Health Insurance Portability
and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). To this end, we develop
the PrivacyLFP logic, whose features include support for disclosure purposes, real-time
constructs, and self-reference via fixed points. To illustrate these features and demonstrate
PrivacyLFP's utility, we present formalizations of a collection of clauses from these laws. We
discuss ambiguities in the laws that our formalizations revealed and sketch preliminary ideas for
computer-assisted enforcement of such privacy policies.

2. Policy Auditing over Incomplete Logs

We present the design, implementation and evaluation of an algorithm that checks audit logs
for compliance with privacy and security policies. The algorithm, which we name reduce,
addresses two fundamental challenges in compliance checking that arise in practice. First, in
order to be applicable to realistic policies, reduce operates on policies expressed in a first-order
logic that allows restricted quantification over infinite domains. We build on ideas from logic
programming to identify the restricted form of quantified formulas. The logic can, in particular,
express all 84 disclosure-related clauses of the HIPAA Privacy Rule, which involve quantification
over the infinite set of messages containing personal information. Second, since audit logs are
inherently incomplete (they may not contain sufficient information to determine whether a
policy is violated or not), reduce proceeds iteratively: in each iteration, it provably checks as
much of the policy as possible over the current log and outputs a residual policy that can only be
checked when the log is extended with additional information. We prove correctness,
termination, time and space complexity results for reduce. We implement reduce and optimize
the base implementation using two heuristics for database indexing that are guided by the
syntactic structure of policies. The implementation is used to check simulated audit logs for
compliance with the HIPAA Privacy Rule. Our experimental results demonstrate that the
algorithm is fast enough to be used in practice.
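As an added worked example (illustration code written for this page, not the project's reduce implementation; the HIPAA-flavored clause, the predicate names and the log entries are constructed assumptions), the script below shows the two ideas of the paragraph above in miniature: quantifiers range only over the finite set of facts actually present in the log rather than over an infinite domain, and a check against an incomplete log returns a residual policy that is re-checked once the log is extended.

```python
"""Checking a policy against an incomplete log and emitting a residual policy.

Added illustration in the spirit of the iterative audit described above; it is
not the project's reduce implementation. The policy clause, predicate names and
log entries are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

TRUE, FALSE, UNKNOWN = "true", "false", "unknown"


@dataclass(frozen=True)
class Fact:
    pred: str
    args: tuple


class Log:
    """Finite set of ground facts. For a 'complete' predicate the log is
    authoritative (absence means false); for any other predicate absence only
    means 'not recorded yet', which is what makes the log incomplete."""

    def __init__(self, facts: Iterable[Fact], complete: Iterable[str]):
        self.facts, self.complete = set(facts), set(complete)

    def instances(self, pred: str) -> list:
        return sorted(f.args for f in self.facts if f.pred == pred)

    def extend(self, facts: Iterable[Fact], now_complete: Iterable[str] = ()) -> "Log":
        return Log(self.facts | set(facts), self.complete | set(now_complete))


class Const:
    """A ground condition already decided when the clause is instantiated."""
    def __init__(self, value: bool, label: str):
        self.value, self.label = value, label

    def check(self, log):
        return (TRUE, None) if self.value else (FALSE, self)

    def __repr__(self):
        return self.label


class Exists:
    """exists a. pred(a) and match(a): ranges only over the pred facts in the log."""
    def __init__(self, pred: str, match: Callable[[tuple], bool], label: str):
        self.pred, self.match, self.label = pred, match, label

    def check(self, log):
        if any(self.match(a) for a in log.instances(self.pred)):
            return TRUE, None
        # No witness yet: a definite failure only if the log is complete for pred.
        return (FALSE, self) if self.pred in log.complete else (UNKNOWN, self)

    def __repr__(self):
        return f"{self.pred}{self.label}"


class Junction:
    """Or (decided by a TRUE child) and And (decided by a FALSE child).
    Undecided children are collected into the residual formula."""
    def __init__(self, op: str, children: list):
        self.op, self.children = op, children

    def check(self, log):
        decisive = TRUE if self.op == "or" else FALSE
        pending = []
        for child in self.children:
            status, residual = child.check(log)
            if status == decisive:           # FALSE residual names the failed obligation
                return status, (None if decisive == TRUE else residual)
            if status == UNKNOWN:
                pending.append(residual)
        if not pending:
            return (FALSE, self) if self.op == "or" else (TRUE, None)
        return UNKNOWN, pending[0] if len(pending) == 1 else Junction(self.op, pending)

    def __repr__(self):
        return "(" + f" {self.op} ".join(map(repr, self.children)) + ")"


def Or(*children):
    return Junction("or", list(children))


def And(*children):
    return Junction("and", list(children))


class Forall:
    """forall e. pred(e) -> body(e), over the pred facts in the log. Assumes pred is
    complete (every transmission is recorded), so extending the log adds no instances."""
    def __init__(self, pred: str, body: Callable[[tuple], object]):
        self.pred, self.body = pred, body

    def check(self, log):
        assert self.pred in log.complete, "universal quantifier needs a complete predicate"
        pending = []
        for args in log.instances(self.pred):
            status, residual = self.body(args).check(log)
            if status == FALSE:
                return FALSE, residual
            if status == UNKNOWN:
                pending.append(residual)
        return (TRUE, None) if not pending else (UNKNOWN, And(*pending) if len(pending) > 1 else pending[0])


def phi_clause(send):
    """Constructed clause: a recorded PHI transmission (sender, recipient, msg, patient)
    must go to the patient, or be authorized by the patient for that recipient, or be
    a treatment disclosure to a covered entity."""
    _sender, recipient, msg, patient = send
    return Or(
        Const(recipient == patient, f"to_patient({msg})"),
        Exists("authorized", lambda a: a == (patient, recipient), f"({patient},{recipient})"),
        And(Exists("purpose", lambda a: a == (msg, "treatment"), f"({msg},treatment)"),
            Exists("covered_entity", lambda a: a == (recipient,), f"({recipient})")),
    )


POLICY = Forall("send", phi_clause)

# Constructed log: sends are fully recorded, the list of covered entities is known,
# but authorizations and purposes are only partially recorded at audit time.
F = Fact
LOG1 = Log(
    [F("send", ("dr_a", "p1", "m1", "p1")), F("send", ("dr_a", "ins_x", "m2", "p1")),
     F("send", ("dr_a", "lab_y", "m3", "p2")), F("send", ("dr_a", "mkt_z", "m4", "p2")),
     F("authorized", ("p1", "ins_x")), F("covered_entity", ("lab_y",))],
    complete=["send", "covered_entity"])
# Later the auditor learns m3's purpose and confirms the authorization records are complete.
LOG2 = LOG1.extend([F("purpose", ("m3", "treatment"))], now_complete=["authorized"])


def reduce_policy(policy, log):
    """One audit iteration: (status, residual). On UNKNOWN the residual is what must be
    re-checked on an extended log; on FALSE it names the obligation that was violated."""
    return policy.check(log)


if __name__ == "__main__":
    status, residual = reduce_policy(POLICY, LOG1)
    print(status, residual)
    print(*reduce_policy(residual, LOG2))
```

The first pass leaves two open obligations (the purpose of m3, and any authorization for m4) and discharges the rest; the second pass, run on the residual rather than on the whole policy, settles both and reports the m4 disclosure as the violation, reaching the same verdict the full policy gives on the extended log. That agreement is the property the iterative scheme relies on; the real algorithm's indexing heuristics and complexity bounds are not modeled here.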

3. Audit Games for Privacy Protection

We developed models and mechanisms for accountable data governance that can provide
operational guidance to organizations on how to allocate their budget to best manage privacy
risks (through audit and punishments) as well as evaluate the effectiveness of public policy
interventions in promoting privacy-respecting behavior (e.g., HHS audits, data breach disclosure
laws). We designed models and algorithms for risk management in healthcare organizations in
settings where the adversary's incentives are known (e.g., the gain from medical identity theft)
and settings in which the adversary's incentives are not known. We used the models to predict
the effectiveness of public policy interventions, in particular, external audits (e.g., mandated by
HHS) and data breach notification laws. A specific result published at IJCAI 2013 is summarized
below: Effective enforcement of laws and policies requires expending resources to prevent and
detect offenders, as well as appropriate punishment schemes to deter violators. In particular,
enforcement of privacy laws and policies in modern organizations that hold large volumes of
personal information (e.g., hospitals) relies heavily on internal audit mechanisms. We study
economic considerations in the design of these mechanisms, focusing in particular on effective
resource allocation and appropriate punishment schemes. We present an audit game model
that is a natural generalization of a standard security game model for resource allocation with
an additional punishment parameter. Computing the Stackelberg equilibrium for this game is
challenging because it involves solving an optimization problem with non-convex quadratic
constraints. We present an additive FPTAS that efficiently computes a solution that is arbitrarily
close to the optimal solution.
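As an added worked example of the model described above (illustration code written for this page, not the paper's FPTAS; the payoff form, the single-inspection budget and the linear punishment-cost term are assumptions chosen for the example, and all numbers are constructed), the script below solves a three-target audit game by exhaustive search over a discretized commitment space. The point to notice is the product p_t * x in the adversary's utility: the condition that target t is the adversary's best response is quadratic in the defender's own choices (inspection probabilities and punishment level), which is why the exact optimization is non-convex and a plain grid search is used here instead of a convex solver.

```python
"""Stackelberg audit game with a punishment parameter, solved by grid search.

Added illustration of the model sketched above; not the paper's FPTAS, and the
payoff form is an assumption chosen to expose the product p_t * x that makes the
equilibrium constraints quadratic and non-convex. All numbers are constructed.
"""
from dataclasses import dataclass
from itertools import product


@dataclass
class AuditGame:
    gain: list          # adversary's gain from an undetected violation of target t
    loss: list          # defender's loss from an undetected violation of target t
    caught: list        # defender's payoff when the violation of t is detected
    punish_cost: float  # defender's per-unit cost of committing to punishment level x
    x_max: float        # largest punishment the defender can credibly commit to

    def targets(self):
        return range(len(self.gain))

    def adversary_utility(self, p, x, t):
        # (1 - p_t) * gain_t - p_t * x is bilinear in the defender's two choices, so
        # "t is a best response" becomes a quadratic, non-convex constraint on (p, x).
        return (1 - p[t]) * self.gain[t] - p[t] * x

    def defender_utility(self, p, x, t):
        return p[t] * self.caught[t] - (1 - p[t]) * self.loss[t] - self.punish_cost * x

    def best_response(self, p, x):
        """Adversary's chosen target; ties are broken in the defender's favor
        (the strong Stackelberg equilibrium convention)."""
        utils = {t: self.adversary_utility(p, x, t) for t in self.targets()}
        best = max(utils.values())
        ties = [t for t, u in utils.items() if abs(u - best) < 1e-9]
        return max(ties, key=lambda t: self.defender_utility(p, x, t))


def inspection_grid(n, steps):
    """All inspection vectors p with p_i = k_i / steps and sum p_i <= 1 (one audit slot)."""
    return [[k / steps for k in ks]
            for ks in product(range(steps + 1), repeat=n) if sum(ks) <= steps]


def solve(game, steps=20, x_steps=20):
    """Exhaustive search over the discretized (p, x) space for the commitment that
    maximizes the defender's utility given the adversary's best response.
    Returns (defender_utility, p, x, attacked_target); on ties the smaller x wins."""
    grid = inspection_grid(len(game.gain), steps)
    best = None
    for k in range(x_steps + 1):
        x = game.x_max * k / x_steps
        for p in grid:
            t = game.best_response(p, x)
            u = game.defender_utility(p, x, t)
            if best is None or u > best[0] + 1e-12:
                best = (u, p, x, t)
    return best


# Constructed instance: three record classes, say VIP, ordinary and low-value records.
GAME = AuditGame(gain=[6.0, 4.0, 2.0], loss=[10.0, 5.0, 2.0], caught=[0.0, 0.0, 0.0],
                 punish_cost=0.5, x_max=10.0)


if __name__ == "__main__":
    u, p, x, t = solve(GAME)
    print(f"defender utility {u:.3f}, inspect {p}, punishment {x}, adversary attacks {t}")
    u0, p0, _, t0 = solve(AuditGame(GAME.gain, GAME.loss, GAME.caught, GAME.punish_cost, 0.0))
    print(f"without punishment: utility {u0:.3f}, inspect {p0}, adversary attacks {t0}")
```

Running it side by side with the same game at x_max = 0 shows how the punishment lever substitutes for inspection budget: the defender can spread fewer inspections across targets when a credible penalty lowers the adversary's payoff from every target at once. Because the grid is exhaustive, the answer is only as fine as the step size; the additive approximation guarantee of the paper's FPTAS is what a production solver would need, and it is not reproduced here.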